
How to change the access_token expiry?

jwt
management-api
access_token

#1

I’d like to change the access_token expiry to a value other than 24 hours. I’m using an SPA to access the auth0 client.

There’s a “JWT Expiration (seconds)” setting in my Auth0 client which sets the id_token timeout, but I don’t see anything to set the access_token expiry. How would I go about changing this?


#2

You can set the access_token expiry via the Dashboard in the APIs section, and then the Auth0 Management API settings.


#3

Thanks—I gave this a try and it seems like there’s a hard limit which auth0 does not allow to be configured:


#4

I was able to adjust in the Dashboard for my test tenant:


#5

Unfortunately no such luck for me:


#6

Are you able to adjust your Token Expiration For Browser Flows (Seconds) setting?


#7

Sorry, I see that I can adjust Token Expiration individually, but not Token Expiration for Browser Flows.


#8

So my apologies - the section we are both looking at is the Auth0 Management API which is a system API and is not meant to be consumed in browser-based flows. You need to create a custom API which will then allow you to update that setting.


#9

I think this is a “custom API”, at least judging by the label on the list of APIs:


#10

Ok - so currently you are unable to adjust that setting as that one has a maximum value of 86400 or the value of the other setting (if that setting is less than 86400).


#11

Sorry for the confusion—to summarize, I can set Token Expiration (Seconds) but not Token Expiration For Browser Flows (seconds):

[screenshot: token_expiration_for_browser_flows]


#12

Right - so the Token Lifetime value is set to a max of 86400 and so the browser token expires after 24h. I believe you can use CheckSession() to keep the token alive.


#13

The requirement I was asked to implement is to be able to return to a session over the course of a week from browser that may have been inactive for several days without having to log back in (the JWT is stored in LocalStorage), so I don’t think CheckSession will work in this case… My understanding is that it requires a currently-valid token and an active session: https://auth0.com/docs/libraries/auth0js/v9#using-checksession-to-acquire-new-tokens


#14

At this time an authentication session at the Auth0 service (one that can be leveraged by checkSession) will last until the maximum lifetime is reached (configured through SSO Cookie Timeout setting in the advanced tenant settings) or the maximum inactivity time out is reached (currently set to three days and non-configurable).

In addition, and as you experienced, the Token Expiration For Browser Flows (Seconds) has a hard limit of 86400 (24 hours); the maximum allowed can be less depending on how Token Expiration (Seconds) is set, but it can never be greater than 86400.

Taking into consideration the limit in the token expiration and the non-configurable inactivity timeout on the session, it’s currently not possible to guarantee the requirement that a SPA is able to maintain an active local session through a complete week without asking the user to log in again. It may be possible if the user is active every other day, but this is not guaranteed. I know there’s planned work on giving more control over the authentication session at the Auth0 service which could make the current inactivity timeout irrelevant and then allow the use of checkSession to meet that requirement, but at this time I don’t believe that is possible.
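As an added example (editor's code, not part of this thread and not auth0-js itself), here is how an SPA can wrap `webAuth.checkSession()` in a renewal loop that respects the limits described above: renew shortly before the 86400 s browser-flow ceiling, and treat `login_required` as "the Auth0 session has timed out, send the user back to login" rather than retrying. It assumes the auth0-js v9 callback shape `checkSession(options, cb)` with `cb(err, authResult)`, `authResult.expiresIn` in seconds and `err.error` set to an OIDC error code; the `makeFakeWebAuth` stand-in is constructed so the block runs offline.

```javascript
// Added example (editor's, not auth0-js or the thread's code). Assumes auth0-js v9:
// webAuth.checkSession(options, cb) -> cb(err, authResult), err.error === 'login_required'
// once the Auth0 session is gone (SSO cookie timeout or the 3-day inactivity timeout).
const MAX_TOKEN_LIFETIME_SEC = 86400; // hard limit for Token Expiration For Browser Flows
const RENEW_MARGIN_SEC = 300;         // renew five minutes before the token expires
const RETRY_DELAY_SEC = 60;           // back off after a transient (e.g. iframe timeout) failure
const RELOGIN_ERRORS = ['login_required', 'consent_required', 'interaction_required'];

// Seconds to wait before the next silent renewal; never beyond the ceiling, never negative.
function renewDelaySeconds(expiresInSec) {
  const lifetime = Math.min(expiresInSec, MAX_TOKEN_LIFETIME_SEC);
  return Math.max(lifetime - RENEW_MARGIN_SEC, 0);
}

// Map one checkSession() callback outcome to 'renewed' | 'relogin' | 'retry'.
function classifyRenewal(err, authResult) {
  if (!err && authResult && authResult.accessToken) return 'renewed';
  if (err && RELOGIN_ERRORS.includes(err.error)) return 'relogin';
  return 'retry'; // network or iframe timeout: the current token stays valid until its exp
}

// Decide the next action and when to run it (nextDelayMs === null means stop renewing).
function nextStep(err, authResult) {
  const action = classifyRenewal(err, authResult);
  if (action === 'renewed') return { action, nextDelayMs: renewDelaySeconds(authResult.expiresIn) * 1000 };
  if (action === 'retry') return { action, nextDelayMs: RETRY_DELAY_SEC * 1000 };
  return { action, nextDelayMs: null };
}

// Drive the loop. `timer(fn, ms)` is injectable (defaults to setTimeout) so it can run synchronously.
function startKeepAlive(webAuth, handlers, timer = setTimeout) {
  const tick = () => webAuth.checkSession({}, (err, authResult) => {
    const step = nextStep(err, authResult);
    if (step.action === 'renewed') handlers.onToken(authResult);
    if (step.action === 'relogin') { handlers.onRelogin(err); return; }
    timer(tick, step.nextDelayMs);
  });
  timer(tick, renewDelaySeconds(handlers.initialExpiresIn) * 1000);
}

// Constructed stand-in for auth0.WebAuth so this runs offline: scripted checkSession replies.
function makeFakeWebAuth(replies) {
  let i = 0;
  return { checkSession(_opts, cb) { const r = replies[Math.min(i++, replies.length - 1)]; cb(r.err, r.res); } };
}

// Offline run: one successful renewal, then the Auth0-side session has timed out.
const fakeWebAuth = makeFakeWebAuth([
  { err: null, res: { accessToken: 'constructed-token', expiresIn: 86400 } },
  { err: { error: 'login_required', error_description: 'Login required' } },
]);
startKeepAlive(fakeWebAuth, {
  initialExpiresIn: 86400,
  onToken: (r) => console.log('renewed; next renewal in', renewDelaySeconds(r.expiresIn), 's'),
  onRelogin: (e) => console.log('session gone (' + e.error + '): redirect to login'),
}, (fn) => fn()); // synchronous timer for the demo; a real SPA keeps the default setTimeout
```

Because the Auth0 session itself is capped by the SSO cookie timeout and the inactivity timeout, this loop can only keep a tab alive while that session exists; the `relogin` branch is the expected outcome after several idle days.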


#15

Hello,

hopefully you do understand that limiting logins to 24h is a HUGE issue and HUGE show-stopper for many of your customers who did NOT have it before April 2018 and only got it after recent upgrades (those upgrades were not optional, and the info about 24h limitation was not in upgrade email, so we had to realize new limitation simply by experiencing it as a bug that turned later on a “feature”).

Can you please elaborate on how to use checkSession() to mitigate it? Is it as simple as periodically calling webAuth.checkSession() w/o parameters, here webAuth being the same JavaScript object initiated with var webAuth = new auth0.WebAuth({…})?

Best regards